Securing an enterprise resource planning (ERP) application such as SAP or Oracle’s E-Business Suite (EBS) can be a daunting task. ERP environments are massive collections of databases, applications and interfaces to other systems. Just trying to figure out what is core to the ERP suite itself can be difficult.
I personally am not a database administrator (DBA). I know enough SQL to work my way through an audit, build reports and generally follow a technical discussion. What I cannot do however is build a schema from scratch or do heavy performance tuning. But that’s ok. From a security standpoint we don’t need to be an expert with every possible application or infrastructure component.
When considering security for an ERP you really have three layers to worry about. The first layer is infrastructure, which includes your servers, OS, firewalls, routers, etc. The second layer is the database layer, which includes the data dictionary, tables, fields, etc. The third and final layer is the application through which end users interact with the database and create records or transactions. The focus of this article is the actual database layer. We focus a lot on the infrastructure and applications, so I wanted to shed some light on the actual database.
Note: Commands in the following sections refer to Oracle environments. They may need some tweaking for other databases such as Sybase, MS SQL or MySQL.
So in such a complex environment, where do we begin? Let’s start with simple user access. In an ERP system, user authentication will often be done within the backend database environment. This is a good place to start looking at security. Running the command SELECT * FROM DBA_USERS will provide you a listing of all the users of the database. This includes attributes such as password, default tablespace and profile. With this you can begin a review to see if there are any stale users or potential shared accounts.
Another good query is SELECT * FROM DBA_PROFILES which will list out all the profiles and their attributes. This is a great method to determine the settings for profiles and begin to look at actual user access.
Once you have the users and profiles enumerated you can then move on to roles. Run SELECT * FROM DBA_ROLE_PRIVS and SELECT * FROM USER_ROLE_PRIVS. You can now compare a user with their role and determine their core level of access.
With this information you should be able to begin building a basic security profile of the system. Does every user have the Sysadmin role? Have any of the profile option defaults such as SignOn:Notification been modified? If you have little confidence in security at the user access level you might as well skip going further. There is simply no way to ensure data integrity if you can’t control who has access to that data and what they can do with it.
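The three SELECT * queries above dump everything; the following script is an added example (not from the original article) that joins the same DBA_USERS, DBA_PROFILES and DBA_ROLE_PRIVS views to answer the review questions directly. It assumes Oracle 12c or later (the LAST_LOGIN and ORACLE_MAINTAINED columns do not exist in earlier releases) and read access to the DBA_* views; the 90-day staleness threshold is a chosen review value, not an Oracle default.

```sql
-- Added review queries for the user-access checks described above (not from
-- the original article). Assumes Oracle 12c+ and SELECT access to DBA_* views.

-- 1. Open accounts whose profile never expires passwords or never locks the
--    account after repeated failed logins. A LIMIT of 'DEFAULT' inherits from
--    the DEFAULT profile, so review that profile's limits as well.
SELECT u.username,
       u.profile,
       p.resource_name,
       p.limit
FROM   dba_users    u
JOIN   dba_profiles p ON p.profile = u.profile
WHERE  u.account_status = 'OPEN'
AND    p.resource_type  = 'PASSWORD'
AND    p.resource_name IN ('PASSWORD_LIFE_TIME', 'FAILED_LOGIN_ATTEMPTS')
AND    p.limit = 'UNLIMITED'
ORDER BY u.username, p.resource_name;

-- 2. Who holds the DBA role, whether they can grant it onward (ADMIN_OPTION)
--    and whether it is enabled at login (DEFAULT_ROLE). GRANTEE may be another
--    role rather than a user, hence the LEFT JOIN. Compare the result against
--    the list of people who are actually supposed to administer the database.
SELECT    r.grantee,
          u.account_status,
          r.admin_option,
          r.default_role
FROM      dba_role_privs r
LEFT JOIN dba_users      u ON u.username = r.grantee
WHERE     r.granted_role = 'DBA'
ORDER BY  r.grantee;

-- 3. Candidate stale accounts: not maintained by Oracle, still open, and with
--    no login recorded in the last 90 days (chosen threshold). LAST_LOGIN and
--    ORACLE_MAINTENED were added in 12c; drop them on older releases.
SELECT username,
       created,
       last_login,
       profile,
       default_tablespace
FROM   dba_users
WHERE  oracle_maintained = 'N'
AND    account_status    = 'OPEN'
AND    (last_login IS NULL OR last_login < SYSTIMESTAMP - INTERVAL '90' DAY)
ORDER BY last_login NULLS FIRST, username;
```

Accounts returned by query 3 with a NULL LAST_LOGIN have never logged in since the column started being populated, which is a good starting point for the shared-account and stale-user questions.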
Hopefully this will help you in your attempts to tame the beast which is ERP. I’ll provide some additional tips later this week.